3 Terms, definitions and conventions
3.1 Overview

This part will use concepts of OPC UA information modeling to describe OPC UA Safety. For the purposes of this document, the terms and definitions given in OPC 10000-1, OPC 10000-3, OPC 10000-6, IEC 61784-3, as well as the following apply.

3.2 Terms
3.2.1 Cyclic Redundancy Check

<value> redundant data derived from, and stored or transmitted together with, a block of data in order to detect data corruption

<method> procedure used to calculate the redundant data

NOTE 1 to entry: Terms “CRC code” and "CRC signature", and labels such as CRC1, CRC2, may also be used in this part to refer to the redundant data.

[SOURCE: IEC 61784-3:2017, 3.1]

3.2.2 error

discrepancy between a computed, observed or measured value or condition and the true, specified or theoretically correct value or condition

NOTE 1 to entry: Errors may be due to design mistakes within hardware/software and/or corrupted information due to electromagnetic interference and/or other effects.

NOTE 2 to entry: Errors do not necessarily result in a failure or a fault.

[SOURCE: IEC 615084:2010, 3.6.11]

3.2.3 failure

termination of the ability of a functional unit to perform a required function or operation of a functional unit in any way other than as required

NOTE 1 to entry: Failure may be due to an error (for example, problem with hardware/software design or message disruption).

[SOURCE: IEC 615084:2010, 3.6.4, modified – notes and figures deleted]

3.2.4 fail-safe

ability of a system that, by adequate technical or organizational measures, prevents from hazards either deterministically or by reducing the risk to a tolerable measure

NOTE 1 to entry: Equivalent to functional safety

3.2.5 fail-safe substitute values

values which are issued or delivered instead of process values when the safety function is set to a fail-safe state

NOTE 1 to entry: In this part, the fail-safe substitute values (FSV) are always set to binary "0".

3.2.6 fault

abnormal condition that may cause a reduction in, or loss of, the capability of a functional unit to perform a required function

NOTE 1 to entry: IEV 1910501 defines “fault” as a state characterized by the inability to perform a required function, excluding the inability during preventive maintenance or other planned actions, or due to lack of external resources.

[SOURCE: IEC 615084:2010, 3.6.1, modified – figure reference deleted]

3.2.7 flag

A one-bit value used to indicate a certain status or control information.

3.2.8 Globally Unique Identifier

A globally unique identifier (GUID) is a 128-bit number used to identify information in computer systems. The term universally unique identifier (UUID) is also used. In this part, UUID version 4 is used.

[SOURCE: https://tools.ietf.org/html/rfc4122]

3.2.9 MonitoringNumber

a means used to ensure the correct order among transmitted safety PDUs and to monitor the communication delay. The MNR starts at a random value and counts up with each request. It rolls over to a minimum threshold value that is not zero.

NOTE 1 to entry: Instance of sequence number as described in IEC 617843.

NOTE 2 to entry: The transmitted MNR is protected by the transmitted CRC signature of the ResponseSPDU

3.2.10 Non-safety-

a predicate meaning that the respective object is a “standard” object and has not been designed and implemented to fulfill any requirements w. r. t. to functional safety.

3.2.11 OPC UA Mapper

part of the OPC UA Safety implementation which maps the SPDU to the actual OPC UA services. Depending on which services are used (e.g. client/server or pub/sub), different mappers can be specified

3.2.12 performance level

discrete level used to specify the ability of safety-related parts of control systems to perform a safety function under foreseeable conditions

[SOURCE: ISO 138491:2015, 3.1.23]

3.2.13 process values

input and output data (in a safety PDU) that are required to control an automated process

3.2.14 qualifier

Qualifier is an attribute (bit or Boolean), indicating whether the corresponding value is valid or not (e.g. being a fail-safe substitute value)

3.2.15 residual error probability

probability of an error undetected by the SCL safety measures

[SOURCE: IEC 61784-3:2017, 3.1]

3.2.16 residual error rate

statistical rate at which the SCL safety measures fail to detect errors

[SOURCE: IEC 61784-3:2017, 3.1]

3.2.17 safety communication layer

communication layer above the OPC UA Communication Stack (OPC UA Server API or OPC UA Client API) that includes all necessary additional measures to ensure safe transmission of data in accordance with the requirements of IEC 61508.

The SCL provides several services, the most important ones being the SafetyProvider and the SafetyConsumer.

[SOURCE: IEC 61784-3:2017, 3.1 modified]

3.2.18 SafetyConsumer

Entity (usually software) that implements the data sink of a unidirectional safety link.

3.2.19 safety data

SafetyDataapplication data transmitted across a safety network using a safety protocol

NOTE 1 to entry: The Safety Communication Layer does not ensure the safety of the data itself, but only that the data is transmitted safely.

3.2.20 safety function response time

worst-case elapsed time of a safety function, following an actuation of a safety sensor connected to a fieldbus, until the corresponding safe state of the safety function’s actuator(s) is achieved, in the presence of errors or failures.

NOTE 1 to entry: This concept is introduced in IEC 617843:—, 5.2.4 and is addressed by the functional safety communication profiles defined in that specification.

[SOURCE: IEC 61784-3:2017, 3.1 modified]

3.2.21 safety integrity level

discrete level (one out of a possible four), corresponding to a range of safety integrity values, where safety integrity level 4 has the highest level of safety integrity and safety integrity level 1 has the lowest level of safety integrity

NOTE 1 to entry: The target failure measures (see IEC 615084:2010, 3.5.17) for the four safety integrity levels are specified in Tables 2 and 3 of IEC 615081:2010.

NOTE 2 to entry: Safety integrity levels are used for specifying the safety integrity requirements of the safety functions to be allocated to the E/E/PE safety-related systems.

NOTE 3 to entry:  A safety integrity level (SIL) is not a property of a system, subsystem, element or component. The correct interpretation of the phrase “SILn safety-related system” (where n is 1, 2, 3 or 4) is that the system is potentially capable of supporting safety functions with a safety integrity level up to n.

[SOURCE: IEC 615084:2010, 3.5.8]

3.2.22 safety measure

measure to control possible communication errors that is designed and implemented in compliance with the requirements of IEC 61508

NOTE 1 to entry: In practice, several safety measures are combined to achieve the required safety integrity level.

NOTE 2 to entry: Communication errors and related safety measures are detailed in IEC 617843:2017, 5.3 and 5.4.

[SOURCE: IEC 61784-3:2017, 3.1]

3.2.23 safety PDU

PDU transferred through the safety communication channel

NOTE 1 to entry: The SPDU may include more than one copy of the safety data using differing coding structures and hash functions together with explicit parts of additional protections such as a key, a sequence count, or a time stamp mechanism.

NOTE 2 to entry: Redundant SCLs may provide two different versions of the SPDU for insertion into separate fields of the OPC UA frame.

[SOURCE: IEC 61784-3:2017, 3.1]

3.2.24 SafetyProvider

Entity (usually software) that implements the data source of a unidirectional safety link.

3.2.25 SafetyBaseID Randomly generated authenticity ID which is used to safely authenticate SafetyProviders having the same SafetyProviderID.

NOTE 1 to entry: Together with the SafetyProviderID, it is the instance of connection authentication as described in IEC 617843.

3.2.26 SafetyProviderID User-assigned, locally unique ID which is used to safely authenticate SafetyProviders within a certain area. All SafetyProviders within this area may share the identical SafetyBaseID.

NOTE 1 to entry: Together with the SafetyBaseID, it is the instance of connection authentication as described in IEC 617843.

3.3 Abbreviations and symbols

BSC

Binary Symmetric Channel

CRC

Cyclic Redundancy Check

FSV

Fail-safe substitute Values

HMI

Human-machine interface

ID

Identifier

LSB

Least significant bit

MNR

MonitoringNumber

MSB

Most significant bit

OA

Operator Acknowledgment

OPC UA PI

OPC UA Platform Interface

PDU

Protocol Data Unit

[ISO/IEC 74981]

p

Bit error probability

PI

Platform Interface

PL

Performance Level

[ISO 138491]

PLC

Programmable Logic Controller

Pre,cond

Conditional residual error probability

PV

Process Values

SAPI

Safety Application Program Interface

SCL

Safety Communication Layer

SFRT

Safety Function Response Time

SIL

Safety Integrity Level

[IEC 615084:2010]

SPDU

Safety PDU, Safety Protocol Data Unit

SPI

Safety Parameter Interface

STrailer

Safety Trailer

3.4 Conventions
3.4.1 Conventions in this part

In this part, the following conventions are used:

  • The abbreviation "F" is an indication for safety related items, technologies, systems, and units (fail-safe, functional safe).
  • The default data that are used in case of unit failures or errors, are called fail-safe substitute Values (FSV) and are set to binary "0".
  • Reserved bit ("res") are set to "0" and ignored by the receiver for avoiding problems with future versions of OPC UA Safety.
  • Terms and names are often written in PascalCase (the practice of writing compound words or phrases in which the elements are joined without spaces, with each element's initial letter capitalized within the compound). Terms or names where two capital letters of abbreviations are in sequence or for separation to a suffix are written with underscores in between.
  • The notation 0x… represents a hexadecimal value.
3.4.2 Conventions on CRC calculation
  • [RQ3.1] Any CRC signature calculation shall start with a preset value of "1".
  • [RQ3.2] Any CRC signature calculation resulting in a "0" value, shall use the value "1" instead.
  • [RQ3.3] SPDUs with all values (incl. CRC signature) being zero shall be ignored by the receiver (SafetyConsumer and SafetyProvider).
3.4.3 Conventions in state machines

Table 2 – Conventions used in state machines

Convention

Meaning

:=

Assignment: value of an item on the left is replaced by value of the item on the right.

<

Less than: a logical condition yielding TRUE if and only if an item on the left is less than the item on the right.

<=

Less or equal than: a logical condition yielding TRUE if and only if an item on the left is less or equal than the item on the right.

>

Greater than: a logical condition yielding TRUE if and only if the item on the left is greater than the item on the right.

>=

Greater or equal than: a logical condition yielding TRUE if and only if the item on the left is greater or equal than the item on the right.

==

Equality: a logical condition yielding TRUE if and only if the item on the left is equal to an item on the right.

<>

Inequality: a logical condition yielding TRUE if and only if the item on the left is not equal to an item on the right.

&&

Logical “AND” (Operation on binary values or results)

||

Logical “OR” (Operation on binary values or results)

Logical “XOR” (Operation on binary values or digital values)

[..]

UML Guard condition, if and only if the guard is TRUE the respective transition is enabled